skip to navigation skip to content

Privacy and Cookie Policy

Privacy Policy

This policy relates to personal data, as defined by the Data Protection Act 1998, held for administration of University of Cambridge password management.

The password management system ( holds database records of users and audit trails of changes to user passwords and resetting options. It does not record the actual password values in any form. The actual passwords are held only in University Information Services (UIS) systems that require them, which includes Raven, Hermes and the Managed Cluster Service. The user data originates from Lookup ( and the web forms.

The information is used for the following purposes:

  • To allow users to see all changes made to their password and password resetting options, including details of who made each change, and where each change originated.
  • To allow users with password resetting privileges to see all the changes they have made to other users' accounts.
  • To produce statistical reports for management purposes, such as for annual reports, and auditing.

The information is not used for any other purposes.

All personal data held in the system is visible to the users to which it relates. The data is also made available to administrative users with password resetting privileges, to allow them to perform their job. No information is passed on to other parties.

Access to administrative parts of the system is restricted to staff members who deal with problems with users' passwords. Those members of staff do not have access to users' passwords, but they may issue password reset tokens to allow passwords to be changed.

Our web server records details of every HTTPS interaction. For the first three months our web server logs contain the following:

  • IP Address of the connecting client.
  • Authenticated CRSid (after a successful Raven login).
  • Time stamp.
  • Request made.
  • jessionid cookie value (a hexadecimal number unique to your session)
  • Server's response code and number of bytes returned.

These logs do not contain any password values or password resetting option settings.

After three months, the IP address of the connecting client, and the authenticated userid are removed from our logs. The remaining log data is kept for a further 9 months.


This site uses one cookie essential for the operation of the site:

Cookie Returned to Function Persistence
jsessionid Session management and authentication The duration of your browsing session, ending when your web browser application exits.

The value of the jsessionid cookie is a random hexadecimal number generated by our web server software. It is a session cookie that is stored for as long as your web browser application is open, closing the browser will delete this cookie. It is used by only and is not shared with other websites.

The session cookie enables us to remember the login state of the user as they use the password management system (